Tracking the tracking apps

As many national governments across the EU push forward in developing Covid-19 tracking apps, H+K Strategies Brussels’ Emma Pike discusses the EU’s role in tracking the trackers.

Writing in the FT in March 2020 Yuval Noah Harari wrote: ‘given a choice between health and privacy, most people will choose health…but this is a false choice. We can and should enjoy both health and privacy’.

As national governments reach out for technology to help manage the Covid-19 crisis, ensuring that tech solutions protect both health and privacy is high on the EU agenda. This is in line with the EU’s hard-won reputation as the world’s strongest advocate and defender of privacy.

Contact tracing apps allow for individuals testing positive for Covid-19 to send anonymous notifications to anyone with whom they have been in close proximity in the preceding days, advising them to test and self-isolate.

For the apps to be effective they must always be on to track the movements of each individual user. This has raised concerns about the potential for abuse of this information. Imagine a future in which a journalist and their sources, protesters, whistleblowers, or people with inconvenient political opinions could be tracked with a single click?

Aside from avoiding dystopian outcomes, building in privacy safeguards is also fundamental to the success of these apps. Studies suggest that a minimum of 60% of populations need to use the app in order for it to have any meaningful impact. If the apps fail to protect privacy, they could fail to protect health too, because people will not trust them enough to actually use them.

This is why a considerable amount of work at the EU and member-state level is going into the design of these apps.

But public health is a national rather than EU competence – and currently, European countries are taking different approaches to contact tracking apps, revealing differing levels of trust in technology and attitudes to privacy.

Belgium and Luxembourg are avoiding the use of contact tracing apps altogether, preferring to rely on old-school methods of interviewing Covid-19 patients about their recent contact history and contacting those people to suggest they test and self-isolate.

Austria, Estonia, Germany, Ireland, Italy and Switzerland are opting for decentralised Bluetooth-based tracing apps, underpinned by Google/Apple’s interoperable platform, where anonymised tracking data is stored on an individual’s device rather than on a central server. Numeric identifiers take the place of personal details and these identifiers are dynamic – changing several times a day to preserve anonymity. Notifications are sent directly from an infected person’s device to at risk contacts, without going through any centralised server or organisation.

France, Norway and the UK are currently outliers in pursuing a centralised approach, also Bluetooth based. Infected individuals are encouraged to share their recent contact history which is then stored centrally to inform government decisions on managing the pandemic. While the data stored are said to be anonymised, some observers question how anonymous the data really are, since the numeric identifier is fixed and if cross-checked with other data sets could reveal the identity of the person behind the number.

How these different approaches will play out when cross-border travel resumes remains to be seen. But already the EU is playing a key coordinating role, particularly in ensuring privacy standards are met. Contact tracing apps must meet the requirements of the GDPR and e-Privacy Directive. The EU has also issued guidelines and a toolbox on the development of tracing apps: essentially, apps must be approved by a national health authority, be privacy preserving, and be dismantled as soon as no longer needed. And crucially, they must be voluntary – meaning that there must be no adverse consequences for those who choose not to use them.

But setting the rules is only the first step. Scrutiny and enforcement when standards are not met is also key and requires close and ongoing coordination between the EU, national governments, national data protection authorities, and app stores and developers. The EU’s record on enforcing its privacy standards is less impressive than its rule setting – there have still been no fines for breaching the GDPR.

We may still be at the start of the pandemic – there may well be further waves. We are also still at the start of widespread use of technology to help combat it. As borders and airlines reopen, the idea of ‘immunity passports’ and temperature checks will be appealing to some, and troubling to others. And if countries were to make cross-border travel conditional on use of a contact tracing app, can the app really be said to be voluntary?

If ever there was a role for the EU and national data protection authorities, it is now. As the world’s privacy defenders, their role is to be eagle-eyed in tracking the tracking apps, vocal in calling out abuses of privacy, and persistent in repeating that data protection is not an obstacle to defeating the virus, but a key part of the solution.